Identifying an attacked computing device

ABSTRACT

A computer implemented method to identify an attacked computing device in a system of network-connected computing devices providing a plurality of computing services, the method including receiving a first data structure including data modeling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of such vulnerabilities to identify one or more series of exploits involved in a network attack; receiving a second data structure including data modeling the computing devices in the system including the network connections of each computing device; and comparing the first and second data structures to identify the attacked computing device as an intermediate device in communications between at least two computer services in any of the one or more series of exploits.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority to EP Application No. 16207655.8 filed Dec. 30, 2016, and GB Application No.: 1622449.5 filed Dec. 30, 2016, each of which is hereby incorporated by reference in its entirety.

TECHNICAL FIELD

The present disclosure relates to the detection of network attacks for a computer system.

BACKGROUND

Network-connected computer systems can include network-connected computing devices providing computing services. A computer network used for communication with the devices and services can be used by malicious entities to mount attacks on a computer system and the devices and/or services therein. Such attacks can include unauthorized access, use and/or modification of computing resources.

SUMMARY

Thus there is a need to protect network-connected computer systems from such attacks.

The present disclosure accordingly provides, in a first aspect, a computer implemented method to identify an attacked computing device in a system of network-connected computing devices providing a plurality of computing services, the method comprising: receiving a first data structure including data modeling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of such vulnerabilities to identify one or more series of exploits involved in a network attack; receiving a second data structure including data modeling the computing devices in the system including the network connections of each computing device; and comparing the first and second data structures to identify the attacked computing device as an intermediate device in communications between at least two computer services in any of the one or more series of exploits.

In some embodiments the method further comprises, in response to the identification of the attacked computing device, implementing protective measures to protect the attacked computing device from the attack.

In some embodiments the first data structure is an attack graph.

In some embodiments the attack graph is a directed acyclic graph data structure.

In some embodiments the second data structure is a network map.

In some embodiments the second data structure is automatically generated by software adapted to map a networked computer system.

The present disclosure accordingly provides, in a second aspect, a computer system including a processor and memory storing computer program code for performing the method set out above.

The present disclosure accordingly provides, in a third aspect, a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the method set out above.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present disclosure will now be described, by way of example only, with reference to the accompanying drawings, in which:

FIG. 1 is a block diagram of a computer system suitable for the operation of embodiments of the present disclosure.

FIG. 2 is a component diagram of an attack detector for identifying a network attack in a network-connected computer system in accordance with embodiments of the present disclosure.

FIG. 3 depicts an exemplary attack graph for an attack in the computer system of FIG. 2 in accordance with embodiments of the present disclosure.

FIG. 4 is a flowchart of a method to identify a network attack in a network-connected computer system in accordance with embodiments of the present disclosure.

FIG. 5 is a component diagram of an exemplary traffic filter for use with the attack detector of FIG. 1 in accordance with embodiments of the present disclosure.

FIG. 6 is a flowchart of a method to identify a network attack in a network-connected computer system using a traffic filter such as that illustrated in FIG. 5 in accordance with embodiments of the present disclosure.

FIG. 7 is a component diagram of an attack detector for identifying a network attack based on a network map in accordance with embodiments of the present disclosure.

FIG. 8 is a flowchart of a method to identify an attacked computing device in a network-connected computer system in accordance with embodiments of the present disclosure.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of a computer system suitable for the operation of embodiments of the present disclosure. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.

FIG. 2 is a component diagram of an attack detector 220 for identifying a network attack in a network-connected computer system 200 in accordance with embodiments of the present disclosure. The computer system 200 is a purely exemplary configuration of network-connected computing devices “Host 0”, “Host 1”, “Host 2” and a “Firewall” such that the Firewall is intermediate to Host 0, on one side of the Firewall, and Hosts 1 and 2 on another side of the Firewall. Each of the computing devices can be hardware, software, firmware or combination components that are adapted to communicate via a communications network 210. In some embodiments one or more of the computing devices can be virtualized devices. The network 210 can be a wired, wireless, local or wide area network or a combination of any or all of these types of network. In some embodiments, at least part of the network 210 is a public network such as the internet. For example, in one arrangement Host 0 and the Firewall are connected to the internet and each of Host 1 and Host 2 are connected to a private or intranet network separated from the internet by the Firewall.

At least some of the computing devices provide computing services in the system 200. In the exemplary arrangement of FIG. 2: Firewall provides service “sv0”; Host 1 provides services “sv1”, “sv2” and “sv3”; and Host 2 provides services “sv4” and “sv5”. Computing services can be hardware, software, firmware or combination services such as functions, facilities, routines, procedures, applications or the like. Such services typically involve a network communication component. For example, computing services can include: file transfer services such as software using a file transfer protocol (FTP); shell or remote desktop services such as remote shell (rsh), secure shell (ssh), telnet, remote desktop protocol (RDP), TeamViewer, Remote Utilities, Ammyy Admin, Virtual Network Computing (VNC), AeroAdmin, Windows Remote Desktop, Remote PC, Firnass, Chrome Remote Desktop, AnyDesk, Lync, Skype for Business or the like; mail, messaging, collaboration or communication software such as electronic mail software using a mail transport protocol such as the simple mail transfer protocol (SMTP), instant messaging applications such as Lync, Skype, Sametime, Facebook Messenger, WhatsApp, WeChat, Snapchat, Telegram, Line, Viber, Facetime and the like, and peer-to-peer communications services such as torrent software; name resolution and/or domain name services (DNS); host initialization services such as bootstrap protocols; network host management services such as services employing the simple network management protocol (SNMP); applications such as a server using hypertext transfer protocol (HTTP), network news transfer protocol (NNTP), application server, media server including, inter alia, video, audio, image and/or document servers such as multimedia communications services using a H.323 protocol, network server, entertainment server such as a game server or the like; security or protective services such as a network proxy, firewall, intrusion detection, virus detection, malware detection and the like; services for peripheral devices such as network printer services, network scanner services, network attached storage, network file system (NFS), network attached manufacturing, machining, tooling or engineering devices or apparatus such as robots, additive manufacturing devices (such as 3D printers), formative manufacturing devices, physical transport devices, machine forming apparatus and the like; blockchain services; services providing remote procedure call or remote method invocation facilities over a network; anonymity services such as Tor; telephony such as voice over internet protocol, video conferencing protocols, audio and or video communication and the like; and other computing services as will be apparent to those skilled in the art.

Notably, any particular computer service can include an identification of a network configuration such as one or more particular network ports and/or protocols such that a single software component (e.g. server, web server or the like) can provide potentially multiple computing services such as via different ports and/or protocols.

The computer system 200 is arranged with one or more network security components such as an intrusion detection system (IDS) 232. The IDS 232 is a software, hardware, firmware or combination component adapted to monitor one or more aspects of the computer system 200 to identify one or more of: actual or potential malicious activity occurring in, by, to or in relation to computing devices in the system 200; and violations or deviations from a policy, acceptable or determined normal or typical behavior or activity of computing devices in the system 200. For example, the IDS 232 can be a network intrusion detection system (NIDS) configured to monitor traffic to and from computing devices and/or services at one or more points in the network of the system 200. Additionally or alternatively, the IDS 232 can be a host intrusion detection system (HIDS) run on or in association with one or more computing devices of the system 200 to, for example, monitor inbound and outbound network communication such as network packets at those computing devices. Other such suitable IDS components may be apparent to those skilled in the art. Whichever type or types of IDS 232 are deployed, the IDS 232 detects attacks or potential attacks of computing services in the system 200. For example, the IDS 232 can employ a signature-based attack detection mechanism in which one or more rules and/or patterns indicating an attack are used, such as byte sequences in network traffic or known malicious instruction sequences used by malicious software. Additionally or alternatively, the IDS 232 can employ an anomaly-based attack detection mechanism where a model of trustworthy activity is used to identify a deviation from such activity as a potential attack. Thus, in use, the IDS 232 is operable to identify computer services in the system 200 for which attacks or potential attacks are detected. While a single IDS 232 is illustrated in FIG. 2 it will be appreciated by those skilled in the art that any number of such facilities may be provided. Further, while the IDS 232 of FIG. 2 is illustrated external to the system 200 it will be appreciated by those skilled in the art that such facilities may be provided internal to, in communication with, integral to or remote from devices and/or services of the system 200.

The arrangement of FIG. 2 further includes an attack graph 230. The attack graph 230 is organized as a data structure including data modeling relationships between known vulnerabilities of one or more computing services in the system 200 and potential exploits of those vulnerabilities employed to achieve a particular network attack of the system 200. Thus the attack graph 230 identifies one or more series of exploits and/or steps involved in a network attack. The attack graph 230 is thus generated based on knowledge of vulnerabilities of computing services and how those vulnerabilities can be exploited. Extensive databases of vulnerability and exploit information can be used to inform the generation of such graphs such as the definition of Common Vulnerabilities and Exposures (CVE) maintained by MITRE Corporation as the National Cybersecurity Federally Funded Research and Development Center (FFRDC) in the USA. For example, MITRE Corporation provide CVE details at www.cvedetails.com including vulnerabilities categorized by type and providing information for each vulnerability including: a vulnerability score using the Common Vulnerability Scoring System (CVSS) indicating a severity of the vulnerability (“Common Vulnerability Scoring System, V3 Development Update,” First.org, Inc., available at www.first.org/cvss); a potential impact of the vulnerability in a number of respects including an indication of impact on confidential information, integrity and availability of a computing service; an indication of a level of complexity involved to exploit the vulnerability; whether unauthorized or malicious access to computing services, resources, devices or systems can be gained by exploiting the vulnerability; and computing services such as products affected by the vulnerability. In CVE vulnerabilities are generally categorized into the following types: denial of service (DoS); code execution; overflow; memory corruption; structured query language (SQL) injection; cross-site scripting (XSS); directory traversal; HTTP response splitting; bypassing; gaining information; gaining privileges; cross-site request forgery (CSRF); and file inclusion.

Attack graphs can be structured as directed acyclic graphs indicating paths that an attacker can take to reach a given goal (the attack objective). Thus attack graphs indicate sequences of exploits of vulnerabilities, for example each successive exploit can result in an attacker obtaining additional security privileges towards the attack objective. Attack graphs are described in detail in “Measuring Network Security Using Bayesian Network-Based Attack Graphs” (Marcel Frigault and Lingyu Wang, January 2008, DOI: 10.1109/COMPSAC.2008.88⋅Source: IEEE Xplore); “Measuring Network Security Using Bayesian Network-Based Attack Graphs—A Thesis in the Concordia Institute for Information Systems Engineering” (Marcel Frigault, March 2010, Concordia University, Montreal, available at spectrum.library.concordia.ca/979259); and “Exact Inference Techniques for the Dynamic Analysis of Bayesian Attack Graphs” (Luis Munoz-Gonzalez, Daniel Sgandurra, Martin Barrere, and Emil Lupu, October 2015).

FIG. 3 depicts an exemplary attack graph 230 for an attack in the computer system 200 of FIG. 2 in accordance with embodiments of the present disclosure. The illustrative exemplary attack graph 230 of FIG. 3 relates to an attack in which the attack objective for an attacker with user access to Host 0 of FIG. 2 to gain privileged root access on Host 2 through which the attacker may make malicious use of, or have malicious effect on, Host 2. In the attack graph 230 conditions or states are represented in boxes with rounded corners where a device involved is indicated inside parentheses (i.e. “(0)” indicates Host 0; “(1,2)” indicates some relationship between Host 1 and Host 2, etc.). Vulnerabilities are depicted in boxes with squared corners, indicating a source and destination device inside parentheses (i.e. “source, destination”). Thus according to the attack graph 230 an attacker can follow three paths starting from the topmost state “user(0)” to achieve the attack objective. Each path will be outlined briefly in turn.

According to a first attack path through the graph 230, at the initial state “user(0)” the attacker can exploit a vulnerability in computing service sv4 of Host 2 to achieve a state of trust between Host 0 and Host 2. Subsequently, in this state of trust the attacker can exploit a vulnerability in sv5 of Host 2 to achieve a state of user level access to Host 2. Finally the attacker can exploit a further vulnerability in sv5 of Host 2 to achieve a state of root level access to Host 2.

According to a second attack path through the graph 230, at the initial state “user(0)” the attacker can exploit a vulnerability in computing service sv2 of Host 1 to achieve a state of user level access to Host 1. The attacker can then exploit a vulnerability in service sv4 of Host 2 to achieve a state of trust between Host 1 and Host 2. Subsequently, in this state of trust the attacker can exploit a vulnerability in sv5 of Host 2 to achieve a state of user level access to Host 2. Finally the attacker can exploit a further vulnerability in sv5 of Host 2 to achieve a state of root level access to Host 2.

According to a third attack path through the graph 230, at the initial state “user(0)” the attacker can exploit a vulnerability in computing service sv3 of Host 1 to achieve a state of user level access to Host 1. The attacker can then exploit a vulnerability in service sv4 of Host 2 to achieve a state of trust between Host 1 and Host 2. Subsequently, in this state of trust the attacker can exploit a vulnerability in sv5 of Host 2 to achieve a state of user level access to Host 2. Finally the attacker can exploit a further vulnerability in sv5 of Host 2 to achieve a state of root level access to Host 2.

Notably, in addition to identifying the attack paths to achieve the attack objective in the system 200, the attack graph 230 identifies all computing services potentially exploited in an attack to achieve the attack objective. Thus, according to the exemplary attack graph 230, services sv2, sv3, sv4 and sv5 are potentially exploited though services sv0 and sv1 are not so indicated. Furthermore, the identification of exploited computing services in the attack graph 230 permits an identification of computing devices having the computing services exploited to achieve the attack objective. Thus compromised computing devices can also be identified from the attack graph 230.

Returning to FIG. 2, an attack detector 220 is provided as a hardware, software, firmware or combination component for identify a network attack based on a signature of malicious network traffic identifying the attack. As previously described with respect to IDS 232, a signature includes a definition of one or more rules and/or patterns which, when applied to and/or compared with network traffic, can be used to identify a network attack. In some embodiments signatures can include, inter alia, byte sequences in network traffic or known malicious instruction sequences used by malicious software. Additionally or alternatively signatures can include metrics or measures evaluated for network traffic such as a measure of entropy (such as Shannon Entropy) for at least some portion of network traffic as described in detail in international patent publication WO 2015/128609 (British Telecommunications public limited company). Other patterns and/or rules indicated in a signature for attack detection include: the identification of particular network response data; network traffic having a particular size, length, volume, structure and/or constitution; a series of network communications occurring between two or more computing services of devices conforming to a particular rule or arrangement; a frequency or duration of network traffic or communications; an identification of one or more particular byte sequences, types of byte sequence, packet sequences, types of packet sequence, messages or the like including such as might be identified in no particular order to detect network traffic arising from a polymorphic attack; and other such signature features as will be known to those in the art or as may be conceived in future for detecting malicious network traffic.

The attack detector 220 according to embodiments of the present disclosure generates the attack signature using the signature generator 224 based on network traffic. Accordingly, in use the signature generator 224 operates on network traffic 234 that is known to include malicious network traffic for the network attack. In this way a generated signature can be known to be derived from known malicious network traffic for subsequent use in production computer systems on which basis potential attacks may be identified.

In contrast to the generation of attack signatures in the art, the signature generator 224 according to embodiments of the present disclosure operates on the basis of only a subset of network traffic obtained from the computing system 200. The subset of network traffic is obtained by filtering network traffic 234 obtained from the computing system by a traffic filter 222 as will be described below.

The traffic filter 222 is a software, hardware, firmware or combination component for filtering network traffic 234 obtained from the computing system 200. The network traffic 234 can be obtained and processed in real-time over a period of time or can be stored and accessed in batch. The traffic filter 222 identifies a proper subset of the network traffic 234 by filtering the network traffic 234 such that the subset includes only network traffic that is both associated with computing services being identified by the attack graph 230; and with computing services identified by the IDS 232 as being currently subject to a network attack. Thus, embodiments of the present invention generate an attack signature by the signature generator 224 based on a subset of the network traffic 234 being only the network traffic relevant to computing services indicated by the attack graph 230 and being identified by the IDS 232 as being currently subject to an attack. In this way, the basis for the definition of the attack signature is concentrated on a subset of pertinent network traffic resulting in more accurate and effective attack signature generation. Furthermore, the efficiency of the attack signature generation process is improved because the exclusion of network traffic data reduces the data processing requirements of the signature generator 224. Yet further the quality of the signature itself is improved as the signature is generated based only on pertinent network traffic without being affected by traffic associated with computing services not involved in the network attack or not identified as being subject to attack.

As will be apparent to those skilled in the art, a proper subset of a first set is a subset of the first set that is not equal to the first set.

As previously described the attack graph 230 can be used to identify a subset of computing services in the system 200 potentially involved in the network attack. Where the subset of computer services is a proper subset of the set of all computing services in the system 200 then advantages of embodiments of the present disclosure are realized because the signature generator 224 generates an attack signature on the basis of a reduced set of network traffic corresponding to a subset of network traffic associated with computing services involved in the network attack according to the attack graph 230 (i.e. a proper subset of the set of all network traffic 234).

Additionally, the subset of computer services is further refined to define a second subset of computer services containing only computer services identified by the IDS 232 as being subject to an attack. In this way a further subset of network traffic can be determined on which basis the signature generator 224 operates to generate the attack signature.

The attack signature is used by a traffic monitor 226 which is a hardware, software, firmware or combination component of the attack detector 220 to monitor production and/or operational network traffic 234 for the system 200. The traffic monitor 226 uses the generated attack signature to identify the network attack occurring in the system 200 and where such attacks are identified they are flagged as network attack identifications 250.

FIG. 4 is a flowchart of a method to identify a network attack in a network-connected computer system 200 in accordance with embodiments of the present disclosure. The method operates with the system 200 known to be subject to the network attack such that the attack is exhibited in network traffic 234. Initially, at 462, the traffic filter 222 filters the network traffic 234 to include only network traffic associated with computer services identified: by the attack graph 230 for the network attack; and by the IDS 232 as being subject to a network attack. At 464 the signature generator 224 generates a signature of malicious network traffic based on only the filtered network traffic from 462. At 466 the traffic monitor 226 monitors network traffic 234 (where the system 200 now operates in a production or operational mode, not known to be subject to the network attack). At 468, where the traffic monitor 226 identifies network traffic exhibiting or conforming to the signature the method proceeds to 470 where, for example, the attack is identified, flagged and/or remedial or responsive measures are taken.

FIG. 5 is a component diagram of an exemplary traffic filter 222 for use with the attack detector 220 of FIG. 1 in accordance with embodiments of the present disclosure. FIG. 5 is to be read in conjunction with FIG. 6 which is a flowchart of a method to identify a network attack in a network-connected computer system 200 using a traffic filter 222 in accordance with embodiments of the present disclosure.

The traffic filter 222 according to FIG. 5 includes two filters as software, hardware, firmware or combination components: a first filter 522 for filtering network traffic data 234 based on the attack graph 230 to generate a first proper subset of network traffic 524; and a second filter 528 for filtering the first proper subset of network traffic 524 based on computing services identified by the IDS 232 as being subject to an attack to generate the second subset of network traffic 530. The second filter thus operates on the basis of a service identifier 526 component as a hardware, software, firmware or combination component for identifying services indicated by the IDS 232 as being subject to an attack or intrusion. The second subset of network traffic 530 accordingly excludes network traffic associated with computing services not indicated by the attack graph 230 or identified as being subject to attack or intrusion by the IDS 232.

Thus the first filter 522 receives the attack graph 230 (at 682) as a data structure containing data identifying one or more series of exploits and/or steps involved in a network attack. The first filter 522 accesses (at 684) a set of all network traffic 234 known to include malicious network traffic to identify (at 686) a proper subset of network traffic 524 that excludes network traffic involved in communication with computing services other than those identified in the attack graph 230. At 688 the service identifier 526 defines a subset of computer services identified by the IDS 232 as being subject to attack or intrusion. Subsequently, at 690, the second filter 528 is applied to the proper subset of network traffic 524 to define the second subset of network traffic 530 that further excludes traffic involved in communication with computer services other than those identified as being subject to attack or intrusion. Subsequently, at 692, the second subset of network traffic 530 is used by the signature generator 224 as previously described to generate a signature of malicious network traffic. Notably the tasks 466, 468 and 470 of FIG. 4 could further apply subsequent to task 692 in FIG. 6 to monitor a production system 200 for network attack and respond accordingly.

Consideration now turns to the closely related challenge of identifying an attacked computing device in a system of network-connected computing devices providing computing services. In particular, while the attack graph 230 indicates computing services exploited to achieve a network attack (and correspondingly computing devices that provide or include those services), further advantages can be realized from the attack graph 230 in a production computer system to identify additional computing devices that are subject to attack where such an attack has not been previously known. Such attacks that have not been previously known are commonly referred to as “zero day” attacks because there may be little or no experience of the attacks or the attacks may have evaded detection such that intrusion detection systems and security software such as IDS 232 may not yet be configured to detect such attacks.

FIG. 7 is a component diagram of an attack detector 770 for identifying a network attack based on a network map 772 in accordance with embodiments of the present disclosure. Many of the features of FIG. 7 are common with those of FIG. 2 and these common features will not be repeated here. The network map 772 is a data structure representation including data modeling computing devices in the computing system 200 including the network connections of each computing device such that the map 772 provides an overall representation of the computing system 200. Such a network map 772 can be provided by an operator, designer or installer of the system 200 or the map 772 can be at least partly generated using an automatic network mapping tool such as OpNet (www.opnet.com) or SkyBox (www.skyboxsecurity.com). Thus based on the network map 772 network interconnections between computing devices can be identified and thus routes and/or paths through the network and between devices can be discerned. In practice, the illustration of the computing system 200 provided in the dashed box of FIG. 7 constitutes a reasonable example of a network map (albeit with the addition of computing service information which may be absent in a map, and albeit without host device and configuration information which may additionally be present in a map).

The remainder of FIG. 7 should be read with further reference to FIG. 8 which is a flowchart of a method to identify an attacked computing device in a network-connected computer system 200 in accordance with embodiments of the present disclosure. The attack detector 770 of FIG. 7 is a software, hardware, firmware or combination component adapted to identify an attacked computing device in the network-connected computing system 200. The detector 770 initially receives the attack graph 230 at 802. Subsequently, at 804, the detector 770 receives the network map 772. The detector 770 includes a comparator component 778 as a hardware, software, firmware or combination component for comparing the attack graph 230 and the network map 772. The comparison (at 806) of the graph 230 and map 772 provides for an identification of computing devices in the system 200 that are necessarily involved in malicious network communication but that are not identified (such as by reference to their computing services) in the attack graph 230. For example, the attack graph 230 illustrated in FIG. 3 shows an attack path whereby the attacking user achieves trust between Host 0 and Host 2 by exploiting sv4 of Host 2 (leftmost path in the graph 230 of FIG. 3). However, according to the network map (exemplified by the illustration of the computing system in the dashed box of FIG. 7), Host 0 is separated from Host 2 by a Firewall. Thus a comparison of the attack path in the graph 230 and the network map 772 serves to identify a computing device (the Firewall) that must be involved in the malicious network communication. The comparison by the comparator 778 can be achieved by following each series of exploits in the graph 230, associating each exploit with a particular computing device in the system 200 (which may involve identifying candidate hosts based on exploited computing services), and identifying intermediate devices in communication between exploited devices as attacked computing devices.

Once identified, attacked computing devices can be subject to remedial and/or responsive measures or alerting can be performed to address the attack. Thus protective measures can be implemented to protect the computer system 200 from the attack. As will be appreciated by those skilled in the art, remedial and/or responsive measures as referred to herein can include: flagging an attack or malicious communication; disconnecting from the network one or more computing devices identified as being attacked or involved in malicious communication; performing anti-malware or anti-virus scans on identified computing devices; patching known vulnerabilities of identified computing services; and other responses and/or remediation's as will be apparent to those skilled in the art.

Insofar as embodiments of the disclosure described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present disclosure. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.

Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilizes the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present disclosure.

It will be understood by those skilled in the art that, although the present disclosure has been set out relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.

The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims. 

The invention claimed is:
 1. A computer implemented method to identify an attacked computing device in a system of network-connected computing devices providing a plurality of computing services with a processor integrated into a circuit, the method comprising: receiving, using the processor, a first data structure including data modeling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of the vulnerabilities to identify one or more series of exploits involved in a network attack; receiving, using the processor, a second data structure including data modeling the computing devices in the system including network connections of each computing device; and comparing, using the processor, the first data structure and the second data structure to identify the attacked computing device as an intermediate device in communications between at least two computing services in any of the one or more series of exploits by following each of the one or more series of exploits, associating each exploit with a particular computing device of the computing devices, and identifying any intermediate device in communication between exploited devices as the attacked computing device.
 2. The method of claim 1, further comprising, in response to the identification of the attacked computing device, implementing protective measures to protect the attacked computing device from the attack.
 3. The method of claim 1, wherein the first data structure is an attack graph.
 4. The method of claim 3, wherein the attack graph is a directed acyclic graph data structure.
 5. The method of claim 1, wherein the second data structure is a network map.
 6. The method of claim 1, wherein the second data structure is automatically generated by software adapted to map a networked computer system.
 7. A computer system comprising: a processor integrated into a circuit and memory storing computer program code including instructions for identifying an attacked computing device in a system of network-connected computing devices providing a plurality of computing services, including: wherein the instructions, when executed on the processor, cause the computer system to implement: receiving a first data structure including data modeling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of the vulnerabilities to identify one or more series of exploits involved in a network attack; receiving a second data structure including data modeling the computing devices in the system including network connections of each computing device; and comparing the first data structure and the second data structure to identify the attacked computing device as an intermediate device in communications between at least two computing services in any of the one or more series of exploits by following each of the one or more series of exploits, associating each exploit with a particular computing device of the computing devices, and identifying any intermediate device in communication between exploited devices as the attacked computing device.
 8. A non-transitory computer-readable storage medium storing a computer program element comprising computer program code to, when loaded into a computer system and executed by a processor integrated into a circuit thereon, cause the computer system to identify an attacked computing device in a system of network-connected computing devices providing a plurality of computing services, including: wherein the computer program code, when executed on the processor, cause the computer system to implement: receiving a first data structure including data modeling relationships between vulnerabilities of computing services in a first proper subset of the plurality of computing services and exploitation of the vulnerabilities to identify one or more series of exploits involved in a network attack; receiving a second data structure including data modeling the computing devices in the system including network connections of each computing device; and comparing the first data structure and the second data structure to identify the attacked computing device as an intermediate device in communications between at least two computing services in any of the one or more series of exploits by following each of the one or more series of exploits, associating each exploit with a particular computing device of the computing devices, and identifying any intermediate device in communication between exploited devices as the attacked computing device.
 9. The method of claim 1, wherein associating each exploit with a particular computing device includes identifying the particular computing device based on exploited computing services.
 10. The method of claim 1, wherein the attacked computing device is identified in the second data structure and not identified in the first data structure, wherein the attacked computing device is related to a service identified in both the first data structure and the second data structure. 